SSL certificate selection

更新时间:
复制 MD 格式

Selecting the right SSL certificate is critical for securing your website, building visitor trust, and meeting compliance requirements. An incorrect choice can lead to service interruptions, security vulnerabilities, or unnecessary costs. This article provides a scenario-driven quick-match guide and a structured, parameter-based decision process to help you identify the required validation level, domain type, encryption algorithm, and brand, and select an optimal solution that balances security, compatibility, and cost-effectiveness.

Important

In late June 2024, Certificate Management Service renamed free SSL certificates to Personal Test Certificates (Free Edition) and upgraded certificates (valid for 12 months) to Personal Test Certificates (Pro). See [Notice] Free Certificate Name Change for more information.

Quick selection

Scenario 1: Personal, development, or test use

  • Use cases: Ideal for non-commercial and non-production purposes, such as personal blogs, portfolio websites, local development environments, CI/CD testing pipelines, and educational demonstrations.

  • Key needs: Low cost, fast deployment, and no need for high availability.

  • Recommended certificate types:

    • Individual Test Certificate (Free): Suitable for cost-sensitive users. This certificate is valid for 90 days. You can apply for up to 20 certificates each calendar year and must manually renew it upon expiration.

    • Individual Test Certificate (Pro): Ideal for users who want to reduce maintenance. This low-cost certificate is valid for one year, reducing the need for frequent renewals.

    Note

    Both Individual Test Certificate (Free) and Individual Test Certificate (Pro) are DigiCert-branded DV single-domain certificates.

  • Important notes:

Scenario 2: SMEs, e-commerce, and mini programs

  • Use cases: Public-facing production systems such as corporate websites, small to medium-sized e-commerce platforms, backend services for WeChat mini programs, and SaaS application gateways.

  • Key needs: Stable HTTPS encryption, a moderate level of trust, and high cost-effectiveness.

  • Recommended certificate type: DV wildcard certificate or OV single-domain certificate.

  • Validation level: DV or OV.

  • Domain support: Wildcard (*.aliyundoc.com) or single domain.

  • Recommended brands: International brands (Rapid, GeoTrust, DigiCert) and Chinese domestic brands (WoSign, vTrus).

  • Important notes:

    • To protect multiple subdomains, a wildcard certificate is recommended.

    • If you want to display your company's information in the certificate to enhance user trust, choose an OV certificate.

Scenario 3: Finance, government, or high-trust services

  • Use cases: Mission-critical systems with extremely high security and compliance requirements, such as online banking, securities trading systems, government service platforms, large enterprise customer portals, and payment gateways.

  • Key needs: The highest level of identity assurance, industry compliance, and brand credibility.

  • Recommended certificate type: EV certificate or OV certificate.

  • Validation level: EV / OV.

  • Domain support: Single or multiple domains, depending on the business architecture. EV certificates do not support wildcard domains due to industry standard limitations. If you need a wildcard certificate, choose an OV certificate.

  • Recommended brands: International brands (GeoTrust, GlobalSign, DigiCert) and Chinese domestic brands (CFCA, vTrus).

  • Important notes:

    • Major modern browsers, such as Chrome, Edge, and Safari, no longer display the company name directly in the address bar (the "green bar"). Company information now appears in the certificate details panel.

    • EV certificates still provide the highest standard of identity verification and have full legal validity. They remain the top choice for finance and government systems to prevent phishing attacks and build user trust.

  • Industry examples:

    Industry

    Example

    Certificate brand

    Certificate type

    Encryption algorithm

    Domain type

    Finance and Banking

    Bank of China

    DigiCert

    EV

    RSA

    Single domain

    Internet and Finance

    Alibaba Cloud, Taobao, Tmall

    GlobalSign

    OV

    RSA

    Wildcard domain

    Sina, Toutiao

    GeoTrust

    Shanghai Gold Exchange

    CFCA

Scenario 4: Special requirements

Chinese cryptographic algorithm (SM2) compliance

  • Use cases: Government cloud platforms, financial information systems, and critical infrastructure that must use Chinese cryptographic algorithms (SM2) to comply with the Regulations on the Administration of Commercial Cryptography.

  • Recommended certificate type: SM2 certificate.

  • Validation level: OV / EV (depending on the brand).

  • Domain support: Single domain or wildcard domain.

  • Recommended brands: vTrus, CFCA, WoSign.

  • Important notes: Before you use an SM2 certificate, ensure your server software supports the SM SSL/TLS protocol stack, such as Tongsuo or an SM-enabled version of Nginx.

Public IP address access

  • Use cases: Devices or systems that serve traffic directly over a public IPv4 address and cannot be configured with a domain name, such as IoT gateways, edge servers, or legacy systems.

  • Recommended certificate type: OV single-domain certificate (supports IP).

  • Validation level: OV.

  • Domain support: Public IPv4 address (only for specific brands).

  • Recommended brands: International brands (GlobalSign, DigiCert, GeoTrust) and Chinese domestic brands (vTrus, CFCA).

  • Important notes: Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust, vTrus, and CFCA support binding to an IP address.

Note

If the scenarios above do not meet your needs, see the advanced selection section. You can also visit the product page or consult a technical expert using the Expert One-on-One Service in the console.

Selection parameters

Selection process

Use this guide to select a certificate that fits your business needs:

  1. Step 1: Certificate category

    • For personal projects, development, testing, or learning demos → Choose a Personal Test Certificate (Free Edition or Pro).

      Note

      Personal Test Certificate (Free Edition or Pro) only supports the DV validation level and the RSA algorithm.

    • For a production environment or external-facing service → Choose a Commercial Certificate and proceed to Step 2.

  2. Step 2: Validation level

    • If you only need basic HTTPS encryption and do not need to display company information → Choose DV.

    • To display your organization's identity in the certificate and build user trust → Choose OV.

    • If you operate in a high-compliance sector such as finance, government, or payments → Choose EV.

    Note

    EV certificates do not support wildcard domains.

  3. Step 3: Domain type

    • To protect only a single domain (e.g., www.example.com) → Choose a single-domain certificate.

    • To protect all subdomains under the same root domain (e.g., *.example.com) → Choose a wildcard certificate.

    • To protect multiple different domains (e.g., a.com + b.com) → Choose a multi-domain certificate.

    • To protect both wildcard and single domains → Choose a hybrid-domain certificate.

    • To secure a public IP address directly (without a domain) → Choose a certificate that supports IP addresses (only some OV certificates support this feature).

  4. Step 4: Encryption algorithm

    • For the widest compatibility (compatible with older devices and browsers) → Choose the RSA algorithm.

    • For higher performance and stronger security (ideal for mobile, IoT, etc.) → Choose the ECC algorithm.

    • If your business must meet SM cryptographic compliance requirements (for government, finance, state-owned enterprises, etc.) → Choose the SM2 algorithm (requires a domestic brand).

    Note

    If you have no specific requirements, we recommend the RSA algorithm for maximum compatibility.

  5. Step 5: Certificate brand

    Based on your budget and preferences, review the Pricing Information and select a brand from Certificate Brands.

Certificate types

Certificate Management Service (Original SSL Certificate) offers two types of certificates: Individual Test Certificate (Formerly Free Certificate) and Commercial Certificates. The Individual Test Certificate (Formerly Free Certificate) category includes Individual Test Certificate (Free) and Individual Test Certificate (Pro).

Note

Free SSL certificates (Personal Test Certificates) are issued under the DigiCert brand. When purchasing a commercial certificate, you can also select the DigiCert brand based on your business needs, and choose from single-domain or wildcard domain specifications.

Related concepts:

  • Remaining validity carryover: When you renew a certificate with a new one of the same brand and type before it expires, the new certificate's validity period is extended by the remaining validity from the old one. For example, if your old certificate expires on August 1, 2024, and you complete the renewal and issuance on July 20, 2024, the new certificate is valid from July 20, 2024, to August 1, 2025.

  • Certificate consolidation request: You can combine multiple certificates (domains) of the same brand and validation level into a single certificate to simplify application and management. For more information, see Certificate Consolidation Request.

  • OCSP Stability: The Online Certificate Status Protocol (OCSP) checks in real time whether a certificate has been revoked. Stability refers to the high availability and rapid response of the CA's query service, which prevents website access delays or connection failures.

Important

SSL Certificate Management V2.0 does not support renewals or certificate consolidation requests. For more information, see SSL Certificate Management V2.0 Release Notes.

Individual Test Certificate vs. Commercial Certificate

Important
  • Individual Test Certificates (including Free and Pro editions) must not be used in a production environment. Use a Commercial Certificates for enterprise-level services.

  • Both Individual Test Certificate (Free) and Individual Test Certificate (Pro) are DigiCert-branded DV single-domain certificates.

Feature

Individual test certificate

Commercial Certificates

Use cases

Personal websites, development, and testing.

All production environment services.

SLA guarantee

None

Provided. For more information, see Related Agreements.

OCSP stability

Lower. Stability is not guaranteed.

High. Stable validation is guaranteed.

CA center security insurance payout

Not supported

Supported

Validity period

  • Free: 90 days

  • Pro:

    • Issued before February 25, 2026: 1 year.

    • Issued on or after February 25, 2026: 6 months.

For more information, see Validity Period Changes.

  • Issued before February 25, 2026: 1 year.

  • Issued on or after February 25, 2026: 6 months.

For more information, see Validity Period Changes.

Supported encryption algorithms

RSA

RSA, ECC. Some brands also support SM2.

Compatibility

Fair

High

Multi-year certificate

Not supported

Supported for a service period of up to three years.

Remaining validity carryover

Not supported

Supported

Certificate quantity limit

  • Free: You can apply for 20 free certificates per calendar year.

  • Pro: No limit.

No limit

Supported domain types

Single-domain only. You cannot apply for an Individual Test Certificate for domains with special TLDs, such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, and .ru.

Single-domain, wildcard domain, multi-domain, and hybrid domain.

IP certificate

Not supported

Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust, vTrus, and CFCA support IP address binding.

Domain replacement

Not supported

Rapid (DV) and DigiCert (DV) certificates do not support domain replacement. Commercial certificates of other brands and types support domain replacement.

Supported validation levels

DV

DV, OV, and EV

Supported certificate brands

DigiCert

  • International brands: DigiCert, GeoTrust, GlobalSign, and Rapid.

  • Domestic brands (China): vTrus, CFCA, and WoSign.

Certificate consolidation request

Not supported

Supported

Customer support

  • Free: Not supported.

  • Pro: Supported.

Supported

Validation levels (DV / OV / EV)

SSL certificates are classified by validation level: DV (Domain Validated), OV (Organization Validated), and EV (Extended Validation). These validation levels differ in required verification materials, average issuance time, and browser trust indicators.

Note

For personal websites without company information, you can only apply for a personal test certificate or DV SSL certificate.

Feature

DV (Domain Validated)

OV (Organization Validated)

EV (Extended Validation)

Use case

Personal websites, app services, and development or testing environments.

Government organizations, small to medium-sized enterprises (SMEs), and educational institutions.

E-commerce sites, financial institutions, and large enterprises that handle transactions or sensitive private data.

Validation level

Low. The certificate authority (CA) only verifies domain ownership.

Medium. The CA verifies the organization's real-world identity.

High. The CA strictly verifies the organization's identity and legal status.

Verification method and documents

DNS verification.

Email or phone. Requires domain verification and submission of company information, a business license, and other documents.

Email or phone. Requires domain verification and submission of company information, a business license, and other documents.

  • For GeoTrust and DigiCert certificates, a bank account license is also required.

  • For CFCA certificates, an application form, attorney's license, legal opinion letter, and the applicant's passport are also required.

Security level

Basic. Encrypts data in transit. The CA only verifies that the applicant controls the domain, so it does not confirm the identity of the organization behind the website.

Enhanced. Encrypts data in transit and displays the organization's verified identity in the certificate details. The CA verifies the organization's legal existence and physical address.

Maximum. Provides the highest level of identity assurance. The CA performs the most rigorous vetting, including verifying the organization's legal, physical, and operational existence. The certificate contains the verified organization name visible in browser certificate details.

Browser display

Displays the padlock icon and HTTPS indicator in the address bar. No organization identity is shown.

Displays the padlock icon and HTTPS indicator. The organization's verified name appears in the certificate details panel when users inspect the certificate.

Displays the padlock icon and HTTPS indicator. Modern browsers no longer show a green address bar, but the organization's verified identity is prominently displayed in the certificate details panel, providing the strongest visual trust signal available.

Price level

Lowest

Medium (DV < OV)

Highest (OV < EV)

Average issuance time

1–15 minutes.

5 calendar days

5 calendar days

How to choose a validation level

Use the following guidance to select the right validation level for your scenario:

  • DV certificate: Best for personal websites, mobile apps, or enterprise test environments. Choose DV when you only need basic HTTPS encryption without identity verification. It is the most cost-effective option with the fastest issuance time.

  • OV certificate: Recommended for government organizations, small to medium-sized enterprises (SMEs), and educational institutions that need to display their verified identity to visitors. Choose OV when your users need to know that a real, verified organization operates the website.

  • EV certificate: The top choice for large enterprises, financial institutions, and websites handling transactions or highly sensitive data. Choose EV when your business requires the highest level of identity trust and legal assurance. EV certificates undergo the most rigorous validation process.

Price hierarchy: DV certificates are the most affordable, followed by OV, with EV certificates at the highest price tier (DV < OV < EV). For detailed pricing, see Pricing Information.

Domain types

An SSL certificate must be bound to a domain name or IP address to take effect. The number and types of domains you need to secure determine the required certificate type and quantity. Alibaba Cloud supports certificates for the following domain types: single domain, multi-domain, wildcard domain, and hybrid domain. The following table compares these domain types and describes their corresponding certificates.

Domain type

Description

Notes

Single domain

Binds one certificate to a single, fully qualified domain name, such as www.aliyundoc.com.

Supports DV, OV, and EV validation levels.

Multi-domain

Binds one certificate to multiple domains or IP addresses. By default, you can add up to 5 domains, and you can add more after purchase, up to a maximum of 250.

To secure an IP address, you must use an OV certificate from a brand that supports IP addresses.

Wildcard domain

Uses the format *.aliyundoc.com to match all same-level subdomains. The asterisk * matches only one subdomain level.

For example, a wildcard domain *.aliyundoc.com matches www.aliyundoc.com and a.aliyundoc.com, but not a.b.aliyundoc.com or c.d.aliyundoc.com.

  • Supports only DV and OV certificates.

  • You can include only one wildcard domain per certificate application.

    Note

    To combine multiple wildcard domain certificates into one, see Certificate Consolidation Request.

Hybrid domain

A single certificate contains a mix of domain types, such as *.aliyundoc.com and demo.example.com.

Note

During the purchase or application process, you can merge multiple certificates of the same brand and type to create a hybrid domain certificate. For instructions, see Purchase a commercial SSL certificate or Certificate Consolidation Request.

  • OV and EV certificates: All brands support merging.

  • DV certificates: Only WoSign and GlobalSign support merging.

  • GlobalSign DV hybrid domain certificates require all domains to share the same root domain. For example, if the root domain is aliyundoc.com, you can only merge its subdomains, such as a.aliyundoc.com and a.b.aliyundoc.com. Merging other root domains, such as aliyundoc.cn or aliyundoc01.com, is not supported.

IP address

Binds a single certificate to one public IPv4 address.

Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust, vTrus, and CFCA support IP address binding.

Note

After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.

Encryption algorithm (RSA / ECC / SM2)

International standard algorithms

  • RSA: An asymmetric encryption algorithm known for its excellent compatibility and widespread adoption.

  • ECC (elliptic curve cryptography): A modern asymmetric encryption algorithm that offers stronger security, faster performance, and lower resource consumption compared to RSA and is now widely supported by major browsers.

Item

RSA algorithm

ECC algorithm

Security and key length

Requires a longer key length. Supported key lengths are 2048-bit and 4096-bit.

Achieves the same security level with a much smaller key length.

  • 256-bit: Equivalent in security to a 2048-bit RSA key.

  • 384-bit: Equivalent in security to a 3072-bit RSA key.

Performance / Speed

Slower.

Faster, especially in resource-constrained environments like mobile and Internet of Things (IoT) devices.

Memory and CPU usage

High.

Low.

Compatibility

High.

Good, but not as widespread as RSA.

Chinese national standard algorithms

SM2: An elliptic curve public-key cryptography algorithm published by the State Cryptography Administration of China. It is used in China's commercial cryptography system as an alternative to RSA. SSL certificates using the SM2 algorithm are intended for users who require SM cryptographic compliance.

The following table lists the encryption algorithms supported by each SSL certificate brand and type.

Certificate brand

Certificate type

RSA

ECC

SM2

Signature algorithm

Key length

Signature algorithm

Key length

Signature algorithm

Key length

SHA256withRSA

SHA384withRSA

2048

4096

SHA256withECDSA

SHA384withECDSA

prime256v1

secp384r1

SM3withSM2

sm2p256v1

DigiCert

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

OV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Not supported

Not supported

EV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Not supported

Not supported

GeoTrust

OV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Not supported

Not supported

EV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Not supported

Not supported

GlobalSign

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

OV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Not supported

Not supported

Rapid

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

vTrus

(domestic brand)

DV

Supported

Not supported

Supported

Not supported

Not supported

Not supported

Not supported

Not supported

Supported

Supported

OV

Supported

Not supported

Supported

Not supported

Not supported

Not supported

Not supported

Not supported

Supported

Supported

CFCA

(domestic brand)

OV

Supported

Not supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Supported

Supported

EV

Supported

Not supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

WoSign

(domestic brand)

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Supported

Supported

Note

By default, SSL certificates are signed with the SHA256withRSA or SHA256withECDSA signature algorithm. You cannot select a signature algorithm that uses the SHA384 hash function on the Certificate Management Service console. To issue a certificate with this signature algorithm, you must create a CSR file locally and upload it to the console. For more information, see How to Create a CSR File and Upload CSR.

Certificate brands

When choosing a certificate brand, consider factors such as its supported validation levels, domain types, encryption algorithms, and price, as well as your business requirements and budget.

Note

If you need help choosing a certificate brand, contact a technical expert through pre-sales/post-sales support. For more information, see expert one-on-one service.

International brands

Certificate brand

Description

Advantages

DigiCert

DigiCert (formerly Symantec) is a leading global certificate authority (CA) and a trusted SSL certificate brand.

  • Supports the Norton Secured Seal

  • Supports RSA and ECC encryption algorithms

Rapid

Rapid is a sub-brand of DigiCert. It was formerly known as the GeoTrust DV certificate and was renamed to Rapid in late January 2022. For more information, see [Change] Notice on GeoTrust DV Certificate Name Change.

Supports the RSA encryption algorithm

GeoTrust

GeoTrust is a sub-brand of DigiCert (formerly Symantec) and is the world's second-largest certificate authority (CA).

  • Stable service

  • Supports the Norton Secured Seal

  • Supports RSA and ECC encryption algorithms

GlobalSign

GlobalSign is one of the earliest certificate authorities (CAs). The company specializes in cybersecurity certification and digital certificate services and is a trusted provider of SSL certificates. Major e-commerce websites such as Tmall and Taobao use GlobalSign brand certificates.

  • Supports the Norton Secured Seal

  • Supports RSA and ECC encryption algorithms

Domestic brands

Certificate brand

Description

Advantages

CFCA

China Financial Certification Authority (CFCA) is WebTrust-certified, adheres to globally unified auditing standards, and is a member of the CA/Browser Forum. CFCA certificates meet the SSL compliance requirements for domestic industries like government and finance.

  • Global trust and compatibility: Its root certificates are pre-installed on major platforms like Microsoft, Apple, Google Android, and Mozilla. These certificates are issued by an authoritative Chinese digital certificate authority and are trusted globally.

  • Multi-algorithm support: Supports RSA, ECC, and SM2 encryption algorithms.

  • Service guarantee: Provides 7×24 financial-grade security support and a comprehensive risk coverage plan.

  • Transparent business rules: CFCA provides a Chinese-language certification practice statement (CPS) that clearly defines the rights and obligations throughout the certificate lifecycle.

Note

CFCA brand certificates do not support iOS 10.1 or earlier, or Android 6.0 or earlier.

vTrus

vTrus is a domestic SSL certificate brand from Tianwei Trust. Built on international trust roots, it balances domestic compliance needs with compatibility across major global environments.

  • High compatibility: Compatible with mainstream operating systems and browsers.

  • Multi-algorithm support: Supports RSA and SM2 encryption algorithms.

WoSign

WoSign is a domestic SSL certificate brand suited for cost-sensitive scenarios.

  • Flexible plans: Offers multiple pricing tiers to fit different budgets.

  • Multi-algorithm support: Supports RSA and SM2 encryption algorithms.

Supported algorithms and domain types by brand:
If you are familiar with certificate types, domain types, encryption algorithms, and certificate brands, use the table below to quickly select the right certificate.



Certificate brand

Type

Encryption algorithm

Domain type

DigiCert

DV (personal test certificate)

RSA

single domain

OV

RSA, ECC

single domain, multi-domain, wildcard domain

EV

RSA

single domain, multi-domain

GeoTrust

OV

RSA, ECC

single domain, multi-domain, wildcard domain

EV

RSA

single domain, multi-domain

GlobalSign

DV

RSA

single domain, wildcard domain

OV

RSA, ECC

single domain, multi-domain, wildcard domain

Rapid

DV

RSA

single domain, wildcard domain

vTrus (domestic brand)

DV

RSA, SM2

single domain, wildcard domain

OV

RSA, SM2

single domain, multi-domain, wildcard domain

CFCA (domestic brand)

OV

RSA, SM2

single domain, multi-domain, wildcard domain

EV

RSA

single domain, multi-domain

WoSign (domestic brand)

DV

RSA, SM2

single domain, wildcard domain

Pricing

The price of an SSL certificate varies by its type, validation level, domain type, and brand. Choose a certificate that fits your requirements and budget.

Important

The prices below are for reference only. The final price is shown on the Certificate Service purchase page.

Brand category

Certificate brand

Validation level

Domain type

Price (CNY/year)

Notes

International brands

DigiCert

Individual Test Certificate (Free)

Single domain

Free

/

Individual Test Certificate (Pro)

Single domain

68 (The validity period changes to six months starting February 25, 2026. For more information, see Validity Period Changes.)

/

DV

Wildcard domain

2,000

/

OV

Single domain

  • DigiCert: 5,600

  • DigiCert Pro: 8,992

/

Wildcard domain

40,000

/

EV

Single domain

  • DigiCert: 8,992

  • DigiCert Pro: 16,800

/

GeoTrust

OV

Single domain

2,778

/

Wildcard domain

7,278

/

Multi-domain

12,290

Includes 5 single domains by default.

EV

Single domain

6,000

/

Multi-domain

19,260

Includes 5 single domains by default.

GlobalSign

DV

Single domain

1,980

/

Wildcard domain

6,930

/

OV

Single domain

3,728

/

Wildcard domain

13,048

/

Rapid

DV

Single domain

378

/

Wildcard domain

1,788

/

Domestic brands (SM2)

vTrus

DV

Single domain

1,200

/

Wildcard domain

3,000

/

OV

Single domain

4,000

/

Wildcard domain

12,000

/

CFCA

OV

Single domain

4,000

/

Wildcard domain

15,000

/

EV

Single domain

10,000

/

WoSign

DV

Single domain

880

/

Wildcard domain

2,640

/

Purchase a certificate

FAQ

Expired personal test certificates

Personal test certificates do not support automatic renewal. Before the certificate expires, log on to the Certificate Management Service (Original SSL Certificate) console to apply for a new certificate and replace the old one on your web server.

Note

If you reach the annual limit of 20 certificates, you can purchase a commercial certificate instead.

Certificates for IP addresses

Choose an OV single-domain certificate that supports IP addresses. When purchasing, select an OV certificate from one of the following brands: GlobalSign, DigiCert, GeoTrust, vTrus, or CFCA. When applying, enter your public IP address.

Redeployment after renewal or reissuance

Yes. Each renewal or reissuance generates a new certificate. You must download the new certificate and deploy it to your web server to replace the old one.

Note

If you renew your certificate for multiple years and used Cloud Product Deployment for the previous certificate, Certificate Management Service (Original SSL Certificate) will automatically deploy the new one using Cloud Product Managed Deployment after it is issued. If the deployment fails, you will receive a notification by text message, email, and internal message.

Does a wildcard certificate (for example, *.aliyundoc.com) include the root domain (aliyundoc.com)?

Yes. A certificate for a wildcard domain also includes the root domain for free. For example, a certificate for *.aliyundoc.com also protects aliyundoc.com.

Note

After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.

SM (SM2) certificates

SM2 is a commercial cryptographic algorithm published by the State Cryptography Administration of China. If your business, particularly for government, finance, or state-owned enterprise projects, requires "SM cryptography transformation" or "classified protection compliance", choose a certificate from a domestic brand that supports the SM2 algorithm. For general websites and overseas services, the standard international RSA or ECC algorithms are sufficient.